Win32:Downloader-RTQ on Windows 8.1 64bit

I have followed the steps using Avast, Kaspersky, Malwarebytes and SUPERAntiSpyware. If we can’t get this cleaned off in this thread I’m just going to wipe the machine, as I will be out of options. Avast and Kaspersky both detect the Win32 downloader and say they have cleaned it and just require a reboot. Avast does a boot-time scan at that time, and when the computer restarts the virus is detected all over again.
I have run a full scan and a quick scan with the settings you recommend with MBAM. Here is my log, which does not see the same malware Avast and Kaspersky see…

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.11.03

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.16476
Jason :: IDEA-PC [administrator]

Protection: Enabled

2014-01-11 2:45:52 PM
mbam-log-2014-01-11 (14-45-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 221216
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Jason\Downloads\DTLite4471-0337.exe (PUP.Optional.OpenCandy) → No action taken.

(end)

I am now running OTL and will add its log in a reply.

Here are the OTL logs.

What file are they reporting as infected?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

.tmp files in C:\Windows\Temp\<randomly generated folder names>. I don’t believe these files are the originators of the virus though… they keep being regenerated.

Here you go.

Did you install this programme: MyStart Anti-phishing Domain Advisor?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

No, I did not install MyStart, and ComboFix says I’m trying to run it in compatibility mode even though I am not, and it shuts down immediately.

The computer runs fine, and has from the beginning, but I’m being told constantly that I’m infected by every antivirus I have.

http://www.bleepingcomputer.com/forums/t/511930/how-do-i-get-combofix-to-run-on-windows-81/

Hmm, ComboFix was supposed to be Win8 compatible. Let me know if this clears it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKLM..\Run: [MyStart Anti-phishing Domain Advisor] C:\ProgramData\MyStart Anti-phishing Domain Advisor\MyStart_antiphishing.exe (Visicom Media Inc.)

:Files
C:\ProgramData\MyStart Anti-phishing Domain Advisor

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
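The OTL fix above removes one autostart entry (an HKLM Run value pointing into C:\ProgramData), deletes the folder it ran from, and resets the hosts file. The following PowerShell is an added example written for this thread; it is not part of OTL, essexboy's fix, or any tool named here. It audits the Run/RunOnce keys for both the 64-bit and WOW6432Node hives and flags entries whose executable lives under ProgramData, AppData, Temp or Users\Public (the kind of location the MyStart entry used), or whose executable no longer exists, and it lists any hosts-file lines beyond the default localhost entries. The list of "suspicious" path roots is an assumption chosen for illustration, not a rule from the thread.

```powershell
# Added example for this thread, not from OTL or the original posts.
# Run in an elevated PowerShell prompt on the machine being checked.

# Path fragments that legitimately installed software rarely launches from at
# startup. Assumed list for illustration; entries under these are worth a look,
# not automatically malicious.
$suspiciousRoots = @('\ProgramData\', '\AppData\', '\Temp\', '\Users\Public\')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds about the key itself, not real Run values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutableFromCommand([string]$cmd) {
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\Program Files\App\app.exe /silent
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: grow the candidate one token at a time until it names an existing
    # file, so paths containing spaces resolve correctly.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $exe  = Get-ExecutableFromCommand ([string]$p.Value)
            $flag = ''
            foreach ($root in $suspiciousRoots) {
                if ($exe -like "*$root*") { $flag = 'REVIEW: user-writable location'; break }
            }
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $flag = 'MISSING: orphaned entry'   # file gone, value left behind
            }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Executable = $exe; Flag = $flag }
        }
    }
}

function Get-HostsOverrides {
    # Every non-comment hosts line except the stock localhost mappings.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts | Where-Object {
        $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
        $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\b' -and
        $_ -notmatch '^\s*::1\s+localhost\b'
    }
}

"== Autostart entries (flagged rows first) =="
Get-AutostartReport | Sort-Object { $_.Flag -eq '' } | Format-Table -AutoSize

"== Hosts file entries beyond the defaults =="
$overrides = @(Get-HostsOverrides)
if ($overrides.Count -eq 0) { "(none)" } else { $overrides }
```

A flagged row is a prompt to inspect the file (publisher signature, creation date, what installed it), not proof of infection; legitimate updaters do sometimes live under AppData. The hosts check mirrors what [resethosts] would have wiped, so you can see whether anything was redirecting lookups before resetting it.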

I ran your fix and have rebooted; I will let you know. Malwarebytes is constantly telling me it’s blocking potentially malicious websites still.

It may not be related… read this:

Oh, the Sites You Will Never See http://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/

During the fix the Windows 8.1 start button has disappeared.

Read the red Warning info… at the top of Essexboy’s last post.

Running the quick scan now, sorry.

Here is the log file of the quick scan, and after the reboot that button is still gone. It’s the button I use to get to my restart and shutdown commands as well as my programs list… it was 8.1’s solution to Pokki sucking as a new start button… any idea how to get it back? It looks like a house.

Rather than running Pokki (which is not brilliant) you could replace it with Classic Shell: http://www.classicshell.net/

Are the alerts still present?

essexboy, you seem brilliant… I’m clean, I think… I really appreciate it!

Try Classic Shell, and uninstall Pokki… The start button was running from a temporary file… Pretty damn stupid place to put it.

Run the system as normal for a day and let me know if it is cured.

My Windows 8.1 with Start8… Classic Shell is very similar.

EDIT: NEVER MIND, I FIGURED IT OUT. Thank you for all the help.